LinuxQuestions.org
Old 09-21-2005, 10:29 PM   #1
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Rep: Reputation: 15
Very Strange Samba Issue


Hi all,

I run a Samba file server at work, and have been having a strange problem of late.

On the server, we have various shares. Different users have access to different things, and the security is all set up as user-level (based on the groups the user is part of). When it was first set up (twoish months ago), everything worked fine. If I tried to access a share without being in the proper groups, it wouldn't go. If you browsed to them or typed in the path to them, it would give you an error.

However, starting last week or so, everyone can access every share. Doesn't matter what groups they're part of, they can get to any of the Samba shares just by browsing to them. I haven't changed anything on the server, so I have no idea what the problem is. The permissions on the files and the user/group setup are exactly the same as they were.

Anyone have any ideas?
 
Old 09-22-2005, 03:59 AM   #2
vimal
Red Hat India
 
Registered: Nov 2004
Location: Kerala/Pune,india
Distribution: RedHat, Fedora
Posts: 260

Rep: Reputation: 36
Hi CanadianPenguin,
Can you please post your configuration file and the output of the command "testparm"? Please feel free to contact.
vimal...
 
Old 09-22-2005, 11:39 PM   #3
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by vimal
Hi CanadianPenguin,
Can you please post your configuration file and the output of the command "testparm"? Please feel free to contact.
vimal...
Absolutely. smb.conf:
Code:
# Global configuration
[global]
	# Stuff about this machine
	workgroup = company
	netbios name = sbox
	server string = Company Server

# We're not using a domain right now, but this trash is necessary for access lists
	
	# Domain controller stuff
	domain master = yes
	local master = yes
	preferred master = yes
	time server = yes
	os level = 65
	add machine script = /usr/sbin/useradd -d /var/lib/nobody -s /bin/false %u
	
	# Logon stuff
	domain logons = yes
	security = user
	passdb backend = tdbsam
	encrypt passwords = yes
	username level = 5
	username map = /etc/samba/smbusermap
	logon path = \\%L\profiles\%U
	logon script = logon.bat
	logon drive = no
	logon home = \\%L\%U\.win_profile
	
	# Network stuff
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
	wins support = yes
	bind interfaces only = yes
	interfaces = eth1 192.168.10.1
	hosts allow = 192.168.10.0/24
	hosts deny = ALL
	name resolve order = host
	dns proxy = no

	# Share stuff
	load printers = no
	hide dot files = yes
	hide unreadable = yes
	wide links = no
	public = no
	admin users = @tech
	hide files = .*/resource.frk/Network Trash Folder/TheVolumeSettingsFolder
	hide special files = yes
	browseable = no
	nt acl support = no

# Domain controller shares
[netlogon]
	comment = Network Logon Service
	path = /home/netlogon
	writeable = no
	browseable = no

[profiles]
	comment = User Profiles
	path = /home/profiles
	writeable = yes
	browseable = no
	create mode = 0600
	directory mode = 0700
	force user = %U

# Share configuration
[applications]
	comment = Programs for Computers
	path = /home/applications
	writeable = yes
	browseable = yes
	user = @applications
	force group = applications
	write list = @tech
	read list = @applications
	create mode = 0770
	directory mode = 0770
	preserve case = yes

[fonts]
	comment = Fonts
	path = /home/fonts
	writeable = yes
	browseable = yes
	user = @fonts
	force group = fonts
	write list = @tech
	read list = @fonts
	create mode = 0770
	directory mode = 0770
	
[traffic]
	comment = Traffic Art
	path = /home/traffic
	writeable = yes
	browseable = yes
	user = @traffic
	force group = traffic
	write list = @traffic
	read list = 
	create mode = 0770
	directory mode = 0770

[customer]
	comment = Customer Archives
	path = /home/customer
	writeable = yes
	browseable = yes
	user = @customer
	force group = customer
	write list = @customer
	read list = 
	create mode = 0770
	directory mode = 0770

[work]
	comment = Work Files
	path = /home/work
	writeable = yes
	browseable = yes
	user = @work
	force group = work
	write list = @work
	read list = 
	create mode = 0770
	directory mode = 0770

[admin]
	comment = Administration Files
	path = /home/admin
	writeable = yes
	browseable = yes
	user = @admin
	force group = admin
	write list = @admin
	read list = 
	create mode = 0770
	directory mode = 0770

[management]
	comment = Managment Files
	path = /home/management
	writeable = yes
	browseable = yes
	user = @management
	force group = management
	write list = @management
	read list = 
	create mode = 0770
	directory mode = 0770

[sales]
	comment = Sales Files
	path = /home/sales
	writeable = yes
	browseable = yes
	user = @sales
	force group = sales
	write list = @sales
	read list = 
	create mode = 0770
	directory mode = 0770

[JPEG]
	comment = JPEG Image Files
	path = /home/JPEG
	writeable = yes
	browseable = yes
	user = @jpeg
	force group = jpeg
	write list = @jpeg
	read list = 
	create mode = 0770
	directory mode = 0770

[quotes]
	comment = Sales Quotes
	path = /home/quotes
	writeable = yes
	browseable = yes
	user = @quotes
	force group = quotes
	write list = @quotes
	read list = 
	create mode = 0770
	directory mode = 0770

[logos]
	comment = Logos
	path = /home/logos
	writeable = yes
	browseable = yes
	user = @staff
	force group = staff
	read list = 
	write list = @staff
	create mode = 0770
	directory mode = 0770

[bv32]
	comment = BV32 Accounting Files
	path = /home/bv32
	writeable = yes
	browseable = yes
	user = @bv32
	force group = bv32
	write list = @bv32
	read list = 
	create mode = 0770
	directory mode = 0770
	default case = lower
	guest ok = yes
	oplocks = no
	level2 oplocks = no
	
[FTP]
	comment = FTP Directory
	path = /home/ftp
	writeable = yes
	browseable = yes
	user = @ftp
	force user = ftp
	force group = ftp
	write list = @ftp
	read list = 
	create mode = 0770
	directory mode = 0770
	force directory mode = 0770

# Home directories
[homes]
	comment = Home Directories
	browseable = no
	writeable = yes
testparm:
Code:
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[applications]"
Processing section "[fonts]"
Processing section "[traffic]"
Processing section "[customer]"
Processing section "[work]"
Processing section "[admin]"
Processing section "[management]"
Processing section "[sales]"
Processing section "[JPEG]"
Processing section "[quotes]"
Processing section "[logos]"
Processing section "[bv32]"
Processing section "[FTP]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
<snip: the smb.conf from above>
TIA for your help.
 
Old 09-25-2005, 10:30 PM   #4
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Original Poster
Rep: Reputation: 15
Anyone have any ideas?
 
Old 09-25-2005, 10:58 PM   #5
minrich
Member
 
Registered: Aug 2003
Location: Isles of Man & Wight
Distribution: See signature
Posts: 548

Rep: Reputation: 40
Whilst I know little about the security settings in Samba, I am somewhat surprised that you have all your files apparently in the /home directory. Would I be correct in assuming that all your users have access to their own directory in the same place (i.e. /home/user ) ???

Assuming again that only members of the Administrator's group have (or possibly in your case had) access to the [Admin] files, wouldn't it be simpler to keep these in their own directory or sub-directory which can then have its own group access level set at the directory level ???

Is your /etc/passwd shadowed? Have you checked the permissions on the individual directories ? Could someone have learnt the root password and changed them ?
 
Old 10-02-2005, 02:09 PM   #6
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by minrich
Whilst I know little about the security settings in Samba, I am somewhat surprised that you have all your files apparently in the /home directory. Would I be correct in assuming that all your users have access to their own directory in the same place (i.e. /home/user ) ???

Assuming again that only members of the Administrator's group have (or possibly in your case had) access to the [Admin] files, wouldn't it be simpler to keep these in their own directory or sub-directory which can then have its own group access level set at the directory level ???

Is your /etc/passwd shadowed? Have you checked the permissions on the individual directories ? Could someone have learnt the root password and changed them ?
Correct, each user has access to his/her own home directory. However, they don't use these. All the shares have been placed under the home directory for simplicity of partitioning: I can have one big /home partition and all the other partitions can be small since they'll only contain system files.

I don't see what you're saying. The admin files are in /home/admin, which is owned by root.admin and where the Unix permissions are 770 (so that only members of the admin group can access the files in that directory). However, Samba takes care of its own permissions anyway, so the Unix permissions are of no real consequence.

Each samba user is mapped to a real Unix user. No one except me has access to the machine via SSH or physically; everyone else can access it only by Samba, and ideally should only be able to access the shares their group has access to via Samba. Root access is given only with sudo (root can't login directly), and only I can use sudo (/etc/sudoers lists only me). I have a very strong password (12 characters, mix of letters, numbers, symbols, not based on a word in any language, etc...), so I'm fairly certain no one else knows it. Besides which, the permissions on the home directories are as they should be.

Also, I've checked the ACLs (XFS provides ACL support) and they're all correct. We've occasionally had problems with Samba changing ACLs and locking users out of certain files, but they seem fine right now (I think it only happens when the machine crashes and Samba restarts without removing its locks from files).

Any other suggestions?
 
Old 10-03-2005, 12:29 PM   #7
jordanmc31
LQ Newbie
 
Registered: Aug 2005
Posts: 6

Rep: Reputation: 0
I could be completely wrong but I think it's because you're forcing them to be the only permissible group. So it's mapping everyone to the group that's allowed to the directory.
Again could be completely wrong just a thought.
 
Old 10-03-2005, 06:30 PM   #8
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by jordanmc31
I could be completely wrong but I think it's because you're forcing them to be the only permissible group. So it's mapping everyone to the group that's allowed to the directory.
Again could be completely wrong just a thought.
Hm, that does sound plausible, I'll have to look into it some more. Just seems strange that it was working fine before and not now.
 
Old 10-03-2005, 07:19 PM   #9
jordanmc31
LQ Newbie
 
Registered: Aug 2005
Posts: 6

Rep: Reputation: 0
Yeh, when I was trying to get it to work I found out by forcing a user that's who it has to be. Doesn't matter what the login stuff is. But of course the kicker is it used to work fine.
 
Old 10-06-2005, 12:36 AM   #10
CanadianPenguin
Member
 
Registered: Oct 2003
Distribution: Ubuntu "Hoary" - The best distro around by a long shot.
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by jordanmc31
Yeh, when I was trying to get it to work I found out by forcing a user that's who it has to be. Doesn't matter what the login stuff is. But of course the kicker is it used to work fine.
Oh yeah, I know the force user doesn't limit the users who can access it. It's the read list and write list that limit access, the force user and force group are just to make sure files have the permissions I want on them.
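
An added example, not part of any post in this thread: a small Python audit that reads an smb.conf and reports, per share, the settings that leave it reachable by more accounts than the intended group. It relies on the smb.conf documentation, where `valid users` is the parameter that limits who may connect, `read list` and `write list` only change read/write rights, and `force group` makes file access use the forced group. The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample modelled on the shares posted in the thread.
SAMPLE = """
[global]
    security = user
[admin]
    user = @admin
    force group = admin
    write list = @admin
    read list =
[bv32]
    force group = bv32
    write list = @bv32
    guest ok = yes
[sales]
    valid users = @sales
    force group = sales
    write list = @sales
"""
SYNONYMS = {"public": "guestok"}  # smb.conf documents 'public' as a synonym

def parse_smb_conf(text):
    """Return {section: {param: value}}; names compare without case or spaces."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return conf

def audit(text):
    """Map each share to reasons it is reachable by more than its intended group."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})  # share-level params set here are defaults
    findings = {}
    for name, share in conf.items():
        eff = {**defaults, **share}
        issues = []
        if not eff.get("validusers"):
            issues.append("no valid users: every authenticated account may connect")
            if eff.get("forcegroup") or eff.get("forceuser"):
                issues.append("force user/group: files are accessed as the forced identity")
        if eff.get("guestok", "no").lower() in ("yes", "true", "1"):
            issues.append("guest ok: guest connections are accepted")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for share, issues in audit(SAMPLE).items():
        print(share, "->", issues or "restricted by valid users")
```

A share with an empty finding list is still subject to the Unix permissions and ACLs on its path, which this check does not read.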
 
  

